CVE-2025-66084

Vulnerability

Overview

The FluentCommunity plugin for WordPress, versions up to and including 2.0.0, contains a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing exploitation of broken access control mechanisms [1]. The issue is classified as a missing authorization, authentication, or nonce token check in a function that could lead to an unprivileged user executing certain higher-privileged actions [1].

Exploitation and

Attack Surface

An attacker can exploit this vulnerability without requiring authentication or special privileges, as a low-privileged user, depending on the specific missing check. The attack surface is broad because the plugin is widely used, and such vulnerabilities are often targeted in mass-exploit campaigns against thousands of websites regardless of traffic size or popularity [1]. No special network position is needed; the attack can be performed remotely over HTTP.

Impact

Successful exploitation allows an unprivileged user to perform actions that should require higher privileges, such as modifying settings, accessing sensitive data, or performing administrative functions. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity with low impact on confidentiality, integrity, and availability [1]. However, the potential for mass exploitation increases the real-world risk.

Mitigation

The vendor has released version 2.1.0 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting the hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-update for vulnerable plugins [1].